Chris Duckett reports:
Drupal’s security team has released a “public service announcement” calling upon all users of the Drupal content management framework to consider their sites as compromised, and to start afresh, unless their sites were patched against the SQL injection attack revealed two weeks ago within seven hours of the announcement of the vulnerability.
“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before October 15, 11pm UTC, that is seven hours after the announcement,” the Drupal security announcement said.
Read more on ZDNet.